April 21st, 2003, 06:58 AM
Is it a security hole in Mandrake 9.1???
When you are logged on as a normal user, click on an rpm file that is to be installed. It asks for the root password. After installation, click on any other rpm that is to be installed and it goes on smoothly without a password. That is, once root authenticates himself with grpmi he remains authenticated for the whole session??
Do you think it is a security problem??? I suppose, though not too serious, it is a security flaw and should be corrected....
I have posted the same on the Mandrake security list.
April 21st, 2003, 07:08 AM
Security holes are teh suk. You might as well report it, give those hardcore coders some more work.
Although, if a user authenticates, they usually *are* root, so it isn't really a hole unless they forget to log off and the computer is public. Users that forget to log off on public computers are teh suk.
April 21st, 2003, 03:24 PM
Have you installed an rpm, then done something else for a couple of minutes and then tried?
I don't know specifically for Mandrake or any other Linux for that matter, but it would seem that if you were installing many rpms in one session, it would be handy if you didn't have to authenticate for every one. So that if you installed a couple and then got a cup of coffee and came back, it would time out and you'd have to re-enter the root pass.
I only suggest this because that is how I have found sudo to operate, and so maybe that is what the case is.
And like ownage said, this would only really be a problem if you left your computer logged in..., something that if you are concerned with security you wouldn't be doing anyway.
The owl of Minerva spreads its wings only with the falling of dusk. -Hegel
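The sudo behaviour the post above describes is controlled by the `timestamp_timeout` setting in sudoers: a value in minutes, with -1 meaning the cached authentication never expires (the "whole session" behaviour the thread is asking about) and 0 meaning prompt every time. The script below is an added example, not code from the thread or from Mandrake or sudo; it audits a sudoers fragment for that setting. The sudoers text is constructed for the example, the function names are hypothetical, and the 15-minute "loose" threshold is an assumed policy value.

```shell
# Added example (not from the thread): audit a sudoers fragment for credential-caching settings.
# sudo semantics: timestamp_timeout=N is N minutes; -1 never expires; 0 prompts every time.
# The 15-minute threshold below is an assumed policy value, not a sudo default.
# SAMPLE_SUDOERS is constructed for the example; on a real host you would feed in the contents
# of /etc/sudoers (read-only; this script never edits it).
SAMPLE_SUDOERS='Defaults env_reset
Defaults timestamp_timeout=-1
Defaults:alice timestamp_timeout=5
%wheel ALL=(ALL) ALL'

# check_timestamp_timeout SUDOERS_TEXT
# Prints one line per "Defaults ... timestamp_timeout=N" entry: <scope> <value> <class>
check_timestamp_timeout() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*Defaults/ && /timestamp_timeout[[:space:]]*=/ {
      split($0, parts, "timestamp_timeout[[:space:]]*=")
      val = parts[2]
      sub(/[[:space:],].*/, "", val)                  # keep only the number after "="
      scope = "global"
      if ($1 ~ /^Defaults:/) scope = substr($1, 10)   # per-user override, e.g. Defaults:alice
      if (val + 0 == -1)      cls = "WEAK_never_expires"
      else if (val + 0 == 0)  cls = "STRICT_prompt_every_time"
      else if (val + 0 > 15)  cls = "LOOSE_over_15_minutes"
      else                    cls = "OK"
      print scope, val, cls
    }'
}

# has_never_expiring_timeout SUDOERS_TEXT
# Exit status 0 if any entry caches the password for the whole session (-1), so a
# configuration check can fail on it.
has_never_expiring_timeout() {
  check_timestamp_timeout "$1" | grep -q 'WEAK_never_expires'
}

check_timestamp_timeout "$SAMPLE_SUDOERS"
```

On the sample input this prints `global -1 WEAK_never_expires` followed by `alice 5 OK`. Per-user `Defaults:user` lines override the global value, which is why the scope is reported separately. Whatever the timeout, a user can drop their own cached credential immediately with `sudo -k` before walking away from a terminal.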
April 21st, 2003, 03:41 PM
The RPM manager runs with the root context after you install the first RPM; if you were to close the RPM manager, then reopen it and try to install an RPM, it would ask you for root again. Not really a security issue, and not any more than su or sudo are... unless you routinely walk away from a publicly accessible system with root logged in, but that's a security problem with the operator, not the system.